Wednesday, June 8, 2016

NSA’s Curious Goal-Post Moving on Snowden’s Complaints

In our piece on NSA’s response to requests for records of Edward Snowden’s complaints, Jason Leopold and I reported that a senior NSA official apologized to Admiral Mike Rogers for providing insufficient context about Snowden’s contacts with oversight entities before Snowden’s email to OGC got released on May 29, 2014. (See PDF 6 for the email and response as they got publicly released.) More importantly, we reported that the apology — written after several days of fact-checking — included at least one clear error. After we pointed that out to the intelligence community and asked questions for clarification, the NSA significantly moved the goalposts on its claims about whether Snowden had raised concerns, denying that Snowden had talked to the top three NSA officials rather than lower level ones. Here’s why I think that’s significant.

Conflicting claims about what happened between compliance and Snowden

On April 8, 2014, NSA learned that an upcoming Vanity Fair piece would include a claim from Edward Snowden that “I contacted N.S.A. oversight and compliance bodies.” (PDF 13)

Apparently in response to that claim, on the following day a woman involved in training in Signals Intelligence Compliance and Oversight (what the NSA calls SV) wrote up an exchange she had with Snowden a year earlier. (PDF 147) Here’s how that email appeared on April 10, after at least one draft.

The individual appeared at the side of my desk in the SV training area during the timeframe between 5 – 12 April 2013, shortly after lunch time. He did not introduce himself and instead asked if he could talk to someone about the OVSC1203 [Section 702] course. I indicated that he could talk to me. He seemed upset and proceeded to say that he had tried to take OVSC1203 and that he had failed. He then commented that he felt we had trick questions throughout the course content that made him fail. SV Training has standard (canned) responses we use to respond to questions like this. I introduced myself and provided the information to him. My comments were standard and part of our “canned” responses, and informed him that the OVSC courses did not contain any trick questions and that all of the answers to the test questions could be located within the course content (our standard response when someone states they have failed any of our courses). Also, as part of our standard response with this type of question, we remind the student that the course is open book and not timed, also part of our routine canned response. I also reminded him that students receive multiple attempts to successfully pass the course and if they are not successful after multiple attempts he would need to contact us for further assistance. He seemed to have calmed down by then and said he still thought the questions tricked the students but he would try again.

Several pieces of evidence in the email collection suggest this email was the first time she wrote up the exchange (though I imagine there’s an FBI 302 of an interview with her). Not only did no other written version of it get turned over in Leopold’s FOIA, but when the Chief of SV explained the exchange to superiors, no claim of contemporaneous report was made. (PDF 255) Similarly, there’s no definitive written evidence of this report getting reported to the various investigators (though there is one piece of evidence it may have been orally described). In addition, the woman had to revise at least the dates during which she described the exchange taking place on April 10, suggesting she wasn’t working from an existing written document. (PDF 300)

On May 29, 2014, first Dianne Feinstein (there’s evidence she was prodded by someone at NSA or ODNI) released Snowden’s email exchange with OGC, then NSA formally released it.

Later the evening of May 29, Edward Snowden told WaPo the release did not include “correspondence” with SV in which he said they “believed that a classified executive order could take precedence over an act of Congress.”

Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities – such as breaking into the back-haul communications of major US internet companies – are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations.

About an hour and a half after Feinstein had released Snowden’s email on May 29 but before WaPo published Snowden’s claim, the Media Leaks Task Force discovered the write-up of the SV exchange from April, but did not release it publicly (meaning when Snowden made his claim, he did not know they had written up the exchange). Around, or even before that, OGC realized that some of the discussions they were having would have to be turned over in response to this FOIA, and then-General Counsel Raj De “ask[ed] that no one else comment on the low-side [less secure] (or add additional folks to the e-mail exchange),” (PDF 148), so it’s not clear subsequent discussions about this exchange got released in the FOIA.

In response to conflicting claims, NSA does a fact check … and then an internal apology

In the days thereafter, NSA Chief of Staff Elizabeth Brooks got asked to fact check the claims that had been made so far, with the SV Chief and Deputy Chief providing more details on the exchange. It appears there was a senior meeting, probably including Admiral Rogers, at 10AM on June 3, at which someone (probably Brooks) wrote down (PDF 261) “conversation between Snowden & compliance officer where he complained / wants in writing exactly what Snowden has done in writing and verbally.”

Later that day, “the accountable NSA official for Media Disclosures issues” wrote Admiral Rogers a pretty remarkable apology for not providing sufficient context about Snowden’s interactions. (PDF 96) It’s remarkable that it happened — kudos to Admiral Rogers for trying to get clarity on this issue. But it’s remarkable, too, because even after the two day fact-checking process, the apology endeavoring to keep NSA leadership fully informed did not do so.

The error in the apology email

For example, the apology does not tell Rogers that the face-to-face exchange could have happened on one of the same days as the OGC email (and definitely happened within the same week), making it more likely the OGC email and the SV face-to-face exchange were actually two parts of the same exchange (Snowden would have known SV had been involved in his OGC response from both the final response he got, as well as the email forwarding the question from OGC to SV, which got forwarded to him). The apology also, like NSA’s response to this FOIA, doesn’t disclose what got discussed between 7 people as they decided who and how to respond to Snowden’s email (the apology itself, because it gave Rogers the redacted version of Snowden’s email released to the public, would have obscured that 7 people were involved in this response, but he could have gotten that information in previous email threads had he read them closely). It also makes what — given the evidence in the emails, at least — appears to be a clear error by claiming that the SV woman wrote up her exchanges with Snowden in response to NSA’s request for information on contacts with him: “In response to the June 2013 Agency All (See Attachment B) [the SV training woman] provided in writing her account of these engagements.”

That claim appears to be erroneous on two counts.

First, SV had already reported at least the OGC exchange before the Agency All email went out. Attachment B in the apology is a screen cap of the website version of the Agency All request for details on interactions with Snowden.

It includes no timestamp information at all. But a copy of the email we received shows it went out at 11:30 on June 10, 2013, the day after Guardian released a video of Snowden taking credit for the leak. (PDF 187) Given the emails we have, it appears that first thing in the morning the day after Snowden’s admission, well before that email went out, some people in SV discussed the exchanges they had had with Snowden two months earlier. Then, the training woman forwarded what appear to be 4 different versions of the OGC thread to her supervisors with no more than a few word comment (which is one reason there must have been a face-to-face discussion), starting at 9:15; we got just 2 of these 4 email threads. Then, Chief SV forwarded one of those threads to NSA’s security chief Kemp Ensor at 10:02. (PDF 256-7)

Here’s another data point on the Snowden situation. If you have a POC you’d prefer I send these to, please let me know.

The reference to “another data point” suggests Chief SV had already provided Ensor one data point (which could well be the face-to-face exchange), but we received no record of that having been made in writing.

The last exchange involving SV, when Snowden helped troubleshoot a technical problem in August 2012, did get reported in response to the Agency All email; the person forwarded the exchange internally to SV colleagues (though note, this email likely also has its metadata reflecting who was party to it screwed up) at 12:06, (PDF 135) and SV Chief forwarded it to the Chief, Compromise Investigations Branch, the contact listed on the Agency All email, at 12:51 (PDF 192). In that email, SV Chief did not mention that one or two data points, including one email, had already been sent to Ensor.

Below is an email exchange between SV and Edward Snowden. If we find others, we’ll forward them to you

Note that, on May 29 when the face-to-face contact was discovered again, a Special Agent in Counterintelligence said that contact was “news to me” (PDF 230), so it appears that face-to-face contact did not get reported (at least in written form) to the people who spent the next year researching Snowden’s contacts.

This part of the error in the apology may be fairly innocuous (indeed, it suggests SV was proactive about these contacts with Snowden). But the fact that SV reported them before any order to do so shows they believed they were (or it was) fairly significant.

The other error seems more problematic, however. After two days of having very senior NSA people fact-checking, the person apologizing to Admiral Rogers for not providing sufficient context stated that the SV training woman had written up both exchanges “in response to the June 2013 Agency All.” The SV training woman did provide the emails involved in the OGC exchange on June 10 (though again, before the Agency All went out). But the evidence shows that she wrote up the face-to-face exchange in response to Snowden claiming he had had exchanges with oversight and compliance a year later. If, as the evidence suggests, that email was written only after Snowden made public claims that the communication existed, Rogers surely should have been told that.

Neither side wants to explain that Snowden to SV exchange

Given all this evidence, my guess is that the truth lies somewhere in-between NSA’s claims about that face-to-face email (not least because there is little chance Snowden, who was on his way out the door, would really have been distressed about failing an open book test) and what Snowden claimed in 2014. It may well have happened in the context of a discussion about 702 training, but there are plenty of loopholes in 702 to believe that SV told Snowden that there were ways around the spirit of the law (as they said in training on the Section 215 dragnet, which advised analysts to rerun queries under 12333 to be able to disseminate them more widely). If Snowden got SV to confirm that it endorsed those loopholes, however, it would constitute an example where it endorsed an EO trumping the law, in spirit though not necessarily in law.

Leopold and I tried to get some clarity on what happened between Snowden and SV in April 2013, but neither side wanted to explain it. We asked Snowden specific questions about what training he had taken and when, whether he had really failed, what other emails, in addition to the two from OGC that he kept in a separate folder, he had saved, among other questions. He declined to cooperate in our story.

With NSA, it was even odder. In my interview with Bob Litt, I laid out the seeming problems with the apology, fully expecting him to share that with NSA, which he did. After Litt shared that information, NSA told us they’d be providing answers to our questions and, possibly, a statement to be attributed to Deputy Director Rick Ledgett. (That’s important not just for his seniority, but because, before he assumed the Deputy Director position, he was in charge of the response to Snowden, which means the person who apologized would have reported to him.)

We gave the NSA questions a week ago Tuesday. Among other things, we asked whether there was a contemporaneous record of the SV to Snowden contact, what the “other data point” referred to by the SV Chief might be, whether we could have all the emails the SV training woman forwarded to her supervisors, whether we could have the drafts of her email describing her interaction with Snowden (of which at least one exists), and whether we could have the emails between the 7 people deciding who and how would respond to Snowden; I believe at least some of these things are responsive to Leopold’s FOIA. As late as Friday afternoon, when NSA explained the metadata problems with its FOIA response, they said they might have a response for us. Then, at 11:40 PM, they released all the emails, which we took as an attempt to pre-empt our story, which led to a frantic effort from editors to pull the story together to release that day (the tactic probably would have worked better if both Leopold and his editor weren’t in CA).

NSA moves the goalposts on its Snowden claims

Which is why I’m so interested in what NSA said after spending several days at least considering answering questions about what happened between Snowden and SV.

As part of its response to Snowden, NSA developed a Q&A document (starting at PDF 516; see PDF 522-523) that made this claim about Snowden’s efforts to raise issues internally (they gave a hilariously abbreviated version of this to us as their only official comment for the story, as if we hadn’t seen how they edited it along the way to limit their claims about what was in place when Snowden was at the agency). It included these statements summarizing what they had found from Snowden.

NSA is unaware of any correspondence Edward Snowden had with the NSA Inspector General, the Office of General Counsel, or his supervisors wherein he expressed constitutional concerns about NSA’s intelligence operations or authorities. We have found one instance of an e-mail inquiry to the office of General Counsel asking for an explanation of the content of some training material.

[snip]

We have located additional email between Snowden and members of Office of General Counsel and Oversight and Compliance relating to his job duties and work on troubleshooting IT issues, but these emails do not contain any questions or concerns about the legal authorities under which NSA operates.

Here’s what NSA said in their cover letter accompanying the public email release around midnight Friday.

Today the National Security Agency (NSA) is making public more than 200 documents it recently released under the Freedom of Information Act. The documents illustrate that, as the Agency reported in May 2014, NSA conducted a thorough search of e-mail and has no records of any e-mail from former NSA contractor Edward Snowden to Agency officials raising concerns about NSA programs.

The documents posted today reveal the details of the Agency’s many efforts to locate the alleged e-mail. Despite an exhaustive search that included looking for all of Mr. Snowden’s e-mail available on NSA systems and in NSA’s email repositories, the Agency has no record that he submitted complaints to senior NSA leadership – including the NSA Director, Deputy Director, and Executive Director. In addition, the Agency does not have any records that he submitted any complaints to the NSA Inspector General or the General Counsel challenging NSA programs.

On May 29, 2014, NSA publicly released one e-mail inquiry from Mr. Snowden, as well as the accompanying response from NSA’s Office of General Counsel. The e-mail did not raise allegations or concerns about wrongdoing or abuse. It posed a legal question that the Office of General Counsel addressed. There was no additional follow-up noted.

Let’s start with the final paragraph, which is a comment about what NSA said in May 2014 regarding its Snowden release. “There was no follow-up noted.” That’s different from saying, “NSA has found no records of follow-up,” which would be pertinent response to the question of whether NSA has since determined the interaction with the SV woman — which, again, may have happened on one of the same days as she had a role in fielding the OGC question — was or may have been part of the exchange with OGC.

I’m more interested in the previous paragraph, however. “[T]the Agency has no record that he submitted complaints to senior NSA leadership – including the NSA Director, Deputy Director, and Executive Director.” That’s not something Snowden has ever claimed! Why, at this stage of the game, release a statement denying something that Snowden has never claimed? Unless the release of the emails, with actions implicating DIRNSA Rogers and current Deputy Director Ledgett, making the latter look less than stellar, led to the need to deny things that are off-topic of how they responded to requests for information? (For the record, I think the emails themselves — including Rogers’ personal follow-up on FOIA progress — make the DIRNSA look great, but the response to our questions makes me wonder how much of that was just show.)

Finally, I’m interested in the slightly altered claims about what Snowden said to OGC. Even out of context, his initial question had to have pertained to whether EO 12333 could trump FISA (I FOIAed the actual training course in question but NSA rather bizarrely either did not treat that as a FOIA pertaining to these issues or did not treat me as a journalist and it remains unfulfilled.) That’s a concern about a legal authority, but it’s not a concern about specific programs (the USSID-18 training would apply across the board at NSA, not to specific programs, though the 702 training obviously pertains to one authority).

So what?

Most people I’ve talked to about this have dismissed the importance of Snowden complaining about two different training programs in a week, as just pertaining to training. But I’m interested in it, especially, because this is the compliance office designed to keep spying within legal bounds. I asked Thomas Drake about the office — I gave him absolutely no context, so he was answering as if I were talking about what SV would do if they had found a compliance problem, rather than what they would do if someone asked them about following the law. Drake explained their job was to treat any compliance problems such that they would go away, “These are positions that are designed to protect the institution from bad news, even internally. So, you know, ‘We’ll turn bad news into good news.'”

Again, I can’t say what happened either in the face-to-face encounter between Snowden and the SV training woman, nor what happened with SV’s response to requests for information on encounters with Snowden. No one wants to talk about it. But I do find it interesting that NSA was happy to address the issue until we posed questions that would get to what really happened.

No comments:

Post a Comment

To reduce spam, this alternate site requires users register to comment or use OpenID. Comments on posts more than (5) days old subject to moderation. Comments posted at this site will not appear at the original/primary site.